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CLAIMS 
I claim: 

1 . A method of sending a digital message between a sender and a 
recipient in a public-key encryption scheme comprising the sender, the 
recipient and an authorizer wherein the digital message is encrypted by the 
sender and decrypted by the recipient, the method comprising: 

(a) generating a recipient public key/ recipient private key pair; wherein 
the recipient private key is a secret of the recipient; 

(b) generating a recipient encryption key; 

(c) selecting a key generation secret that is a secret of the authorizer; 

(d) generating a recipient decryption key using at least the key 
generation secret and the recipient encryption key, wherein a key formed from 
the recipient decryption key and a key formed from the recipient encryption 
key are a public key/ private key pair; 

(e) encrypting the digital message using at least the recipient public 
key and the recipient encryption key to create an encrypted digital message; 
and 

(f) decrypting the encrypted digital message using at least the recipient 
private key and the recipient decryption key. 

2. The method of claim 1 , wherein the recipient encryption key is 
generated from information comprising the identity of the recipient. 
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3. The method of claim 1 , wherein the recipient encryption key is 
generated from information comprising a parameter defining a validity period 
for the recipient decryption key. 

4. The method of claim 1 , wherein the recipient encryption key is 
generated from information comprising the recipient public key. 

5. The method of claim 1 , wherein the recipient encryption key is 
generated from information comprising the identity of the recipient, the 
recipient public key, and a parameter defining a validity period for the recipient 
decryption key 

6. The method of claim 1 , wherein the recipient decryption key is 
generated by the authorizer according to a schedule known to the sender. 

7. The method of claim 6, wherein the recipient encryption key is 
generated using at least information comprising the schedule. 

8. The method of claim 1 , wherein the recipient private key/ public 
key pair is generated using at least one system parameter issued by the 
authorizer. 

9. The method of claim 1 , wherein the recipient decryption key is 
generated by a method comprising: 
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(a) generating a first cyclic group d of elements and a second cyclic 

group G 2 of elements; 

(b) selecting a function e capable of generating an element of the 
second cyclic group <G 2 from two elements of the first cyclic group d; 

(c) selecting a generator P of the first cyclic group d; 

(d) selecting a random key generation secret s c associated with and 
known to authorizes 

(e) generating a key generation parameter Q = s c P\ 

(f) selecting a first function Hi capable of generating an element of the 

first cyclic group d from a first string of binary digits; 

(g) selecting a second function H 2 capable of generating a second 
string of binary digits from an element of the second cyclic group G 2 ; 

(h) generating an element P e = Hi(lnf B ), wherein lnf B comprises a 

string of binary digits ; and 

(i) generating a secret element S = s c Pb associated with the 

recipient; wherein the secret element is the recipient decryption key. 



10. The method of claim 9, wherein lnf B comprises the identity of the 
recipient, ID™, the recipient public key, and a parameter defining a validity 
period for the recipient decryption key. 
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il . The method of claim 9, wherein both the first group Gi and the 
second group G 2 are of the same prime order q. 

! 2. The method of claim 9 wherein the first cyclic group G, is an 
additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 

1 3. The method of claim 9 wherein the function e is a bilinear, non- 
degenerate, and efficiently computable pairing. 

14. The method of claim 9 wherein: 
s c is an element of the cyclic group Z/gZ; 

Q is an element of the second cyclic group G 2 ; 

element P B is an element of the first cyclic group d;and 

the secret element S is an element of the first cyclic group G,. 

15. The method of claim 9, wherein the digital message M is 
encrypted by a method comprising: 

generating the element P' B = Hi<ID re c), wherein ID rec comprises the 
identity of the recipient and wherein Hv is a function capable of generating an 
element of the first cyclic group 6, from a string of binary digits; 

selecting a random key generation secret r; and 

encrypting the digital message M to form a ciphertext C; wherein C is 

set to be: 
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C = [rP, M © H 2 (g r )], where g = e(Q, P B )e(s B P, P'e)e G 2 . 

1 6. The method of claim 1 , wherein the recipient encryption key is 
generated from a document and the recipient decryption key is the 
authorizer's signature on the document. 

17. The method of claim 9, wherein the digital message M is 
encrypted by a method comprising: 

generating the element P' B = Hr(ID rec ) wherein H v is a function 
capable of generating an element of the first cyclic group d from a string of 

binary digits; 

choosing a random parameter a e {0,1} n ; 

set a random key generation secret r= H 3 (o\ M); and 

encrypting the digital message M to form a ciphertext C; wherein C is 

set to be: 

C = [rP, M © H 2 (g r ), E H4<d)(M)], where g = e(Q, P B )e(s B P, Fe)e G 2 , 
wherein H 3 is a function capable of generating an integer of the cyclic group 
Z/gZ from two strings of binary digits, H 4 is a function capable of generating 

one binary string from another binary string, E is a secure symmetric 
encryption scheme, and mp) < s the ke y used witn E - 



1 8. A method of sending a digital message between a sender an 
a recipient in a public-key encryption scheme comprising the sender, the 
recipient and a plurality of authorizes, the plurality of authorizers including i 
least a root authorizer and n lower-level authorizers in a hierarchy between 
the root authorizer and the recipient, wherein n > 1, the method comprising 
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(a) generating a recipient public key/ private key pair for the recipient; 
wherein the recipient private key is a secret of the recipient; 

(b) generating a recipient encryption key using identity information of at 
least one of the recipient's ancestors; 

(c) selecting a root key generation secret that is a secret of the root 
authorizes 

(d) generating a root key generation parameter based on the root key 
generation secret; 

(e) generating a recipient decryption key such that the recipient 
decryption key is related to the recipient encryption key, the root key 
generation secret and the associated root key generation parameter; 

(f) encrypting the digital message using the recipient public key and a 
recipient encryption key to create an encrypted digital message, wherein a 
key formed from the recipient decryption key and a key formed from the 
recipient encryption key are a public key/ private key pair; and 

(h) decrypting the encoded digital message to recover the digital 
message using at least the recipient private key and the recipient decryption 
key. 

19. The method of claim 1 8, wherein the recipient encryption key is 
generated from information comprising the identity of the recipient. 



20. The method of claim 1 8, wherein the recipient encryption key is 
generated from information comprising a parameter defining a validity period 
for the recipient decryption key. 
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21 . The method of claim 18, wherein the recipient encryption key is 
generated from information comprising the recipient public key. 

22. The method of claim 18, wherein the recipient encryption key is 
generated from information comprising the identity of the recipient, the 
recipient public key, and a parameter defining a validity period for the recipient 
decryption key. 

23. The method of claim 18, wherein the recipient decryption key is 
generated according to a schedule known to the sender. 

24. The method of claim 1 8, wherein the recipient private key/ public 
key pair is generated using system parameters issued by the authorizer. 

25. The method of claim 1 8, wherein the recipient decryption key is 
related to the root key generation secret and the associated root key 
generation parameter. 

26. The method of claim 1 8, wherein the plurality of authorizers 
further includes at least m lower-level authorizers in the hierarchy between th€ 
root authorizer and the sender, wherein m > 1 , and wherein / of the m 
authorizers in the hierarchy are common ancestors to both the sender and the 
recipient, wherein authorizer is the lowest common ancestor authorizer 
between the sender and the recipient, and wherein / > 1, the method further 
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comprising: 

selecting a lower-level key generation secret for each of the m lower- 
level authorizes in the hierarchy between the root authorizer and the sender; 
and 

generating a sender decryption key such that the sender decryption 
key is related to at least the root key generation secret and one or more of the 
m lower-level key generation secrets associated with the m lower-level 
authorizers in the hierarchy between the root authorizer and the sender; 

wherein the message is encrypted using at least sender decryption key 
and one or more of the lower-level key generation parameters associated with 
the (m - / +1) authorizers between the root authorizer and the sender that are 
at or below the level of the lowest common ancestor authorizer,, but not using 
any of the lower-level key generation parameters that are associated with the 
(/ - 1) authorizers above the lowest common ancestor authorizer/; and 
wherein the ciphertext is decrypted using at least the recipient 
decryption key and one or more of the lower-level key generation parameters 
associated with the (n - / + 1) authorizers between the root authorizer and the 
sender that are at or below the level of the lowest common ancestor 
authorizer,, but not using any of the lower-level key generation parameters 
that are associated with the (/- 1) authorizers that above the lowest common 
ancestor authorizer,. 



27. A method of generating a decryption key for an entity in an 
encryption system including a plurality of authorizers, the plurality of 
authorizers including at least a root authorizer and n lower-level authorizers i 
the hierarchy between the root authorizer and the entity, wherein n > 1, the 

method comprising: 

generating a root key generation secret that is known to the root 

authorizer; 

generating a root key generation parameter based on the root key 



WO 2004/021638 



PCT/US2003/026834 



-58- 

generation secret; 

generating a lower-level key generation secret for each of the n lower- 
level authorizes, wherein each lower-level key generation secret is known to 
its associated lower-level authorizer; 

generating a lower-level key generation parameter for each of the n 
lower-level authorizes, wherein each lower-level key generation parameter is 
generated using at least the lower-level key generation secret for its 
associated lower-level authorizer; 

establishing a decryption key generation schedule defining a validity 
period for a decryption key for the entity; 

generating the decryption key for the entity such that the decryption 
key is related to at least the root key generation secret and one or more of the 
lower-level key generation secrets; and 

providing the decryption key to the entity. 

28. The method of claim 27, wherein the decryption key for the 
entity is related a parameter establishing a validity period. 

29. A method of generating a decryption key for a recipient z in an 
encryption system, wherein the recipient z is n+1 levels below a root 
authorizer in the hierarchy, and wherein the recipient is associated with a 

recipient ID-tuple (ID z1 ID 2(n+ i)) that includes identity information ID z(n+ D 

associated with the recipient and identity information ID Z , associated with each 
of n lower-level authorizes in the hierarchy between the root authorizer and 
the recipient, the method comprising: 

generating a first cyclic group Gi of elements and a second cyclic 

group <G 2 of elements; 

selecting a function e capable of generating an element of the second 
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cyclic group G 2 from two elements of the first cyclic group Gv, 
selecting a root generator P 0 of the first cyclic group G-r, 

selecting a random root key generation secret s 0 associated with and 
known to the root authorizer; 

generating a root key generation parameter Qo = s 0 P 0 ; 

selecting a first function Hi capable of generating an element of the first 
cyclic group Gi from a first string of binary digits; 

selecting a second function H 2 capable of generating a second string of 
binary digits from an element of the second cyclic group G 2 ; 

generating a element P z/ for each of the n lower-level authorizes, 
wherein P z/ = Hi(IDi ID Z/ ) for 1</<n; 

selecting a lower-level key generation secret for each of the n lower- 
level authorizers, wherein each lower-level key generation secret s z/ is known 
to its associated lower-level authorizer; 

generating a lower-level secret element S zi for each of the n lower-level 

authorizers, wherein S zi - S z( m) + s^Ps/for 1 < / < n, wherein S 0 = Qo, 

generating a lower-level key generation parameter Q 2/ for each of the n 

lower-level authorizers, wherein Q z , = s z/ P 0 for 1 < / < n; 

generating a recipient element P Z (n+i) = Hi(ID z i, . . . , ID z(n ), lnf (n +i)) 

associated with the recipient, wherein P z(n+ i) is an element of the first cyclic 

group Gi and wherein lnf (n+ D is a string of binary digits ; and 

generating a recipient decryption key 
c = s +s P = V"*V , P. associated with the recipient. 
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30. The method of claim 29, wherein the recipient element 
P z(n+ i) = Hi(ID z1> .... ID Z („ + ,), lnf (n+ i)) and wherein lnf (n+ i) comprises the 
identity of the recipient and a validity period for the identity-based decryption 
key. 

31 . The method of claim 29, wherein lnf (n+ i) further comprises a 
recipient public key generated by the recipient. 

32. The method of claim 29, wherein both the first group Gi and the 
second group G 2 are of the same prime order q. 

33. The method of claim 29, wherein the first cyclic group Gi is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 

34. The method of claim 29, wherein: the function e is a bilinear, 
non-degenerate, and efficiently computable pairing. 

35. The method of claim 29, wherein: 
so is an element of the cyclic group Z/qZ; 

Qo is an element of the first cyclic group Gi; 
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each of the elements P zi is an element of the first cyclic group G,; 

each of the lower-level key generation secrets s z/ is an element of the 
cyclic group Z/gZ; 

each secret element S zl is an element of the first cyclic group d ; 

each of the lower-level key generation parameters Q z , is an element of 
the first cyclic group d; 

the recipient element P 2(n+ i) is an element of the first cyclic group d; 



and 



61. 



the recipient decryption key S z(n+1 , is an element of the first cyclic group 



36. A method of encrypting and decrypting a digital message M 
communicated between a sender y and a recipient z in a hierarchical 
certificate-based encryption system, wherein the recipient z is n+1 levels 
below a root authorizer in the hierarchy, and wherein the recipient is 

associated with a recipient ID-tuple (ID* ID^ that includes identity 

information ID**) associated with the recipient and identity information ID Z/ 
associated with each of n lower-level authorizers in the hierarchy between the 
root authorizer and the recipient, the method comprising: 

generating a recipient public key/ private key pair for the recipient; 
wherein the recipient private key is known to the recipient; 

generating a first cyclic group d of elements and a second cyclic 

group &2 of elements; 

selecting a function <§ capable of generating an element of the second 
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cyclic group G 2 from two elements of the first cyclic group Gi; 
selecting a root generator Po of the first cyclic group Gi; 

selecting a random root key generation secret s 0 associated with and 
known to the root authorizer; 

generating a root key generation parameter Q 0 = s 0 Po; 

selecting a first function Hi capable of generating an element of the first 
cyclic group d from a first string of binary digits; 

selecting a second function H 2 capable of generating a second string of 
binary digits from an element of the second cyclic group G 2 ; 

generating an element P z/ for each of the n lower-level CAs, wherein 
Pzi = HiODl IDr/) for 1 < / < n; 

selecting a lower-level key generation secret s r/ for each of the n lower- 
level authorizers, wherein each lower-level key generation secret s zi is known 
to its associated lower-level authorizer; 

generating a lower-level secret element S z , for each of the n lower-level 

authorizers, wherein S zi = S Z(M ) + s z( /.i)P z ,for 1 < / < n, wherein S zo = Q 0 ; 

generating a lower-level key generation parameter Q z/ for each of the n 
lower-level authorizers, wherein Q z/ - = s z/ P 0 for 1 < / < n; 

generating a recipient element P z(n +D = Hi(ID 2 i, . . . , ID z(n) , lnf( n +i)) 
associated with the recipient, wherein P z(n+ i) is an element of the first cyclic 
group Gi and wherein lnf (n+ i) is a string of binary digits; 

generating a recipient secret element 
S — S 4-5 P =y^" + V n P. associated with the recipient, wherein 

lnf (n+ D comprises a validity period for the recipient secret element; 

encoding the digital message to generate a ciphertext using at least 
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the recipient public key, the root encryption parameter Q 0 and lnf (n+ i); and 

decoding the ciphertext C to recover the digital message M using at 
least the recipient private key, the lower-level key generation parameters Q z/ 
and the recipient secret element S z(n +i). 

37. The method of claim 36 wherein: both the first group d and the 
second group G 2 are of the same prime order q. 

38. The method of claim 36, wherein: 

the first cyclic group Gi is an additive group of points on a 

supersingular elliptic curve or abelian variety, and the second cyclic group G 2 
is a multiplicative subgroup of a finite field. 

39. The method of claim 36, wherein: 

the function e is a bilinear, non-degenerate, and efficiently 
computable pairing. 

40. The method of claim 36, wherein: 
So is an element of the cyclic group Z/qZ; 

Q 0 is an element of the first cyclic group Gi; 

each of the elements P zi is an element of the first cyclic group Gi; 

each of the lower-level key generation secrets s 2i is an element of the 
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cyclic group Z/gZ; 

each secret element S z , is an element of the first cyclic group d; 

each of the lower-level key generation parameters Q z/ is an element of 
the first cyclic group d; 

the recipient element F z(n+ i) is an element of the first cyclic group d; 

and 

the recipient secret element S z(/1+1) is an element of the first cyclic group 

d. 

41 . The method of claim 36, wherein encoding the message M 
further comprises: 

selecting a random parameter r, and 

generating the ciphertext C = [rP, V], wherein V = M© H 2 (gO, wherein 

g=e(P' B , s B P)n"!!e(Pj 5 ^-n/ > ) 

wherein s s P is the recipient public key, P'b is Hi(lnf (n+ i)) and Pj=H-i(s z0 - 

1} P, lnf(n+1)); and 

decoding the ciphertext C further comprises: 
recovering the digital message Mfrom 



M = V © H 2 (e(rP, S z(n+ i))). 
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42. The method of claim 36, wherein both the first group d and the 
second group G 2 are of the same prime order q. 



43. The method of claim 36, wherein the first cyclic group Gi is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 



44. The method of claim 36, wherein the function <§ is a bilinear, 
non-degenerate, and efficiently computable pairing. 

45. The method of claim 36, wherein: 
s 0 is an element of the cyclic group Z/qZ; 

Qo is an element of the first cyclic group d; 

each of the elements P z/ is an element of the first cyclic group d; 

each of the lower-level key generation secrets s zi is an element of the 
cyclic group Z/qZ; 

each secret element S z , is an element of the first cyclic group d; 

each of the lower-level key generation parameters Q zi is an element c 
the first cyclic group d; 

the recipient element P z(n+ D is an element of the first cyclic group d; 
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the recipient secret element S z(n+ i) is an element of the first cyclic group 

Gi; 

r is an element of the cyclic group Z/o/Z; and 
g is an element of the second cyclic group G 2 . 

46. The method of claim 36, further comprising: 

selecting a third function tf 3 capable of generating an integer of the 

cyclic group Z/q/Z from a two strings of binary digits; and 

selecting a fourth function H 4 capable of generating one binary string 
from another binary string; 

wherein encoding the message M further comprises: 



generating the ciphertext C = [U 0 , U 2 U t , V, W\> wherein U 0 

= rs B P and = rP zi for 2 < / < n+1 , wherein V = M e H 2 (gO, and wherein 

g _ g(Q 0( p z1 ) and s B P is the recipient public key, wherein g = e(Qo, P 2 i). and 

wherein W= E H 4(o)(M), E is a secure symmetric encryption scheme, and H 4( o) 

is the key used with E; and 

wherein decoding the ciphertext C further comprises: 

recovering the random binary string a using 



choosing a random parameter a e {0,1}"; 



set a random key generation secret r = H 3 (o, M); and 



a = V®H 2 




mo) (W). 
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47. The method of claim 46, wherein both the first cyclic group Gi 
and the second cyclic group G 2 are of the same prime order q. 



48. The method of claim 46, wherein the first cyclic group Gi is an 
additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 



49. The method of claim 46, wherein the function e is a bilinear, 
non-degenerate, and efficiently computable pairing. 

50. The method of claim 46, further comprising authenticating the 
ciphertext C by: 

computing an experimental random integer f = H 3 (cr, M); and 

confirming that U 0 = r'Po and Ui = fP* for 2 < / < n+1 . 



51 . The method of claim 46, wherein: 
so is an element of the cyclic group Z/qfZ; 

Qo is an element of the second cyclic group G 2 ; 
each of the elements P zi is an element of the first cyclic group Gi; 
each of the lower-level key generation secrets s zi is an element of the 
cyclic group ZlqZ; 
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each secret element S 2i is an element of the first cyclic group 61 ; 

each of the lower-level key generation parameters Q z; is an element of 
the first cyclic group d; 

the recipient element P 2 (n+n is an element of the first cyclic group d; 
the recipient secret element S z(n+ i) is an element of the first cyclic group 

d; 

r is an element of the cyclic group UqZ; and 
g is an element of the second cyclic group G 2 . 

52. The method of claim 26, wherein the plurality of authorizers 
further includes at least m lower-level authorizers in the hierarchy between the 
root authorizer and the sender y, wherein m > 1 , wherein / of the authorizers 

in the hierarchy are common hierarchical ancestors to both the sender y and 
the recipient z, wherein / > 1 , and wherein the recipient y is associated with a 

recipient ID-tuple (ID y1 , . . . , ID^d) that includes identity information ID y(m+ i) 
associated with the sender y and identity information ID y/ associated with each 
of K lower-level authorizers in the hierarchy between the root authorizer and 
the sender y, the method further comprising: 

generating an element Py, for each of the m lower-level authorizers, 

wherein Py, = H^\D^, .... \D yi ) for 1 < / < m, and wherein P yi = P zi for all /' 

</; 
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selecting a lower-level key generation secret s yi for each of the m 
lower-level authorizes, wherein s yi = s z , for all / < /; 

generating a lower-level secret element S y/ for each of the m lower- 
level authorizes, wherein S y/ - = S^-d + s^Pyi for 1 < / < m, and wherein 

Syi = S zi for all /' < /; 

generating a lower-level key generation parameter Qy, for each of the m 
lower-level CAs, wherein Q yi = s y/ P 0 for 1 < / < m , and wherein Q y/ = Q z / for 

all / < /; 

generating a sender element P^m+i) = Hi(ID y i, . . . , ID^+d, lnf S ( m +i>) 

associated with the sender y; 

generating a sender secret element 
s -s +s P, „ = y^'" + ' 5 „P, associated with the sender; wherein 

lnfs(m+D comprises a validity period for the recipient secret element; 

encoding the message Mto generate a ciphertext C using at least the 
information comprising lnf (n+ i) and the lower-level key generation parameters 
Q y/ for / > / and the sender secret element S y(m+1) , but not using the lower-level 

key generation parameters Q y/ for / < /; and 

decoding the ciphertext C to recover the message M using at least the 
recipient private key and the lower-level key generation parameters Q z/ for 



WO 2004/021638 PCT/US2003/026834 

-70- 

/ > / and the recipient secret element S z(n+1) , but not using the lower-level key 
generation parameters Q z ; for / < /. 



53. The method of claim 52, wherein both the first cyclic group d 
and the second cyclic group G 2 are of the same prime order q. 



54. The method of claim 52, wherein the first cyclic group Gi is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 



55. The method of claim 52, wherein the function <§ is a bilinear, 
non-degenerate, and efficiently computable pairing. 



56. The method of claim 52, wherein: 
so is an element of the cyclic group ZJqZ; 

Qo is an element of the first cyclic group d; 
each of the elements P 2/ is an element of the first cyclic group d ; 
each of the elements P yi is an element of the first cyclic group G; 
each of the lower-level key generation secrets s z/ is an element of the 
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cyclic group Z/q/Z; 

each of the lower-level key generation secrets s y/ - is an element of the 
cyclic group Z/qZ; 

each secret element S z/ is an element of the first cyclic group d; 

each secret element S yi is an element of the first cyclic group d; 

each of the lower-level key generation parameters Q z/ - is an element of 
the first cyclic group d; 

each of the lower-level key generation parameters Q y , is an element of 
the first cyclic group d; 

the recipient element P z(n +ij is an element of the first cyclic group d; 
the sender element P y(m+ i) is an element of the first cyclic group d; 
the recipient secret element S z(/J+ i) is an element of the first cyclic group 

d; 

the sender secret element S y(m+ i) is an element of the first cyclic group 

d; 

ris an element of the cyclic group Z/qZ; and 
g is an element of the second cyclic group G 2 . 



57. The method of claim 52, wherein encoding the message M 

further includes: 

selecting a random parameter r, and 

encoding the message M to generate a ciphertext 
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C = [U 0 , U M , Un+u V\, wherein U 0 = rs B P and Ui = /P* for 2 < / < n+1 , 
wherein V= Me H 2 (gO. wherein g = e(Q 0 , P z i), wherein s B P is the recipient 

public key, and wherein g y = + , — , and 

decoding the ciphertext C further includes: 



recovering the message M using M = V®H 2 



58. A method of claim 57, wherein both the first cyclic group d and 
the second cyclic group G 2 are of the same prime order q. 



59. A method of claim 57, wherein the first cyclic group d is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 



60. A method of claim 57, wherein the function § is a bilinear, non- 
degenerate, and efficiently computable pairing. 

61 . A method of claim 57, wherein: 

s 0 is an element of the cyclic group Z/qZ; 

Qo is an element of the first cyclic group d ; 
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each of the elements P zi is an element of the first cyclic group d; 

each of the elements P yi is an element of the first cyclic group G; 

each of the lower-level key generation secrets Sz, is an element of the 
cyclic group Z/gZ; 

each of the lower-level key generation secrets s yi is an element of the 
cyclic group Z/gZ; 

each secret element S z/ is an element of the first cyclic group d; 

each secret element S yi is an element of the first cyclic group d; 

each of the lower-level key generation parameters Q a is an element of 
the first cyclic group d; 

each of the lower-level key generation parameters Q yl is an element of 
the first cyclic group d; 

the recipient element P Z (n+i) is an element of the first cyclic group d; 
the sender element P y <m*D is an element of the first cyclic group d; 
the recipient secret element S z(/7+ i) is an element of the first cyclic group 

d; 

the sender secret element S y(m+ i) is an element of the first cyclic group 

d; 

ris an element of the cyclic group Z/gZ; and 
g y i is an element of the second cyclic group G 2 . 
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62. A method of claim 52, further comprising: 

selecting a third function H 3 capable of generating an integer of the 

cyclic group Z/q/Z from a two strings of binary digits; and 

selecting a fourth function H A capable of generating one binary string 
from another binary string; 

wherein encoding the message M further comprises: 

selecting a random binary string as {0,1 } n ; 
computing a random integer r = H 3 (cr, M); and 
generating the ciphertext C = [U 0 , U^, . . . , L/„+i, V, W\, 
wherein U 0 = rs B P and U, = rP 2/ for 2 < / < n+1 , wherein V = M © H 2 (sr r ), 
wherein g = e(Q 0 , P z i), wherein s B P is the recipient public key and wherein 
W= wherein W— E H 4(o)(M), E is a secure symmetric encryption scheme, and 

H 4 (o) is the key used with E, wherein g yl = + , — , and 

wherein decoding the ciphertext C further comprises: 
recovering the random binary string a using 



a = V®H, 



; and 



llC*(fl«H,.^)J' 

recovering the message /W using M = E 1 H 4(a) (W). 



63. A method of claim 62, wherein both the first cyclic group Gi and 
the second cyclic group G 2 are of the same prime order q. 
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64. A method of claim 62, wherein the first cyclic group d is an 

additive group of points on a supersinguiar elliptic curve or abelian variety, 
and the second cyclic group <G 2 is a multiplicative subgroup of a finite field. 



65. A method of claim 62, wherein the function § is a bilinear, non- 
degenerate, and efficiently computable pairing. 

66. A method of claim 62, wherein: 

s 0 is an element of the cyclic group Z/qrZ; 

Qo is an element of the first cyclic group d; 

each of the elements P zi is an element of the first cyclic group d; 

each of the elements P yi is an element of the first cyclic group Gi; 

each of the lower-level key generation secrets s zi is an element of the 
cyclic group Z/gZ; 

each of the lower-level key generation secrets s yi is an element of the 
cyclic group Z/gZ; 

each secret element S z/ is an element of the first cyclic group d; 
each secret element S yi is an element of the first cyclic group d; 
each of the lower-level key generation parameters Q zi is an element of 
the first cyclic group d; 

each of the lower-level key generation parameters Q y; is an element of 
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the first cyclic group G{; 

the recipient element P z(n+ i) is an element of the first cyclic group d; 
the sender element P y(m+ 1) is an element of the first cyclic group 61 ; 
the recipient secret element S z(n+ i) is an element of the first cyclic group 

G1; 

the sender secret element S y(m+ i) is an element of the first cyclic group 

Gi; 

r is an element of the cyclic group Z/qZ; and 
g y i is an element of the second cyclic group G 2 . 



67. A method of claim 62, further comprising: 
authenticating the ciphertext C by: 

computing an experimental random integer f = H 3 (<7, M); and 

confirming that U 0 = fPo and Ui = tP* for /+1 < / < n+1 . 



68. A method of sending a digital message between a sender and a 
recipient in a public key encryption scheme comprising the sender, the 
recipient and a plurality of n authorizers, wherein n > 1 and wherein the 

recipient can decode the digital message only if the recipient possesses 
authorization from the authorizers, the method comprising: 
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generating a recipient public key/ private key pair for the recipient; 
wherein the recipient private key is a secret of the recipient; 

generating a secret key s, ( 1 < i < n) for each of the authorizes, 

wherein each key secret key is known to its associated authorizer; 

generating a public key for each of the authorizes, wherein each public 
key is generated using at least the secret key for its associated authorizer; 

generating a signature for each of the authorizes by signing a string of 
binary digits Mi with the secret key of that authorizer; 

encrypting the digital message to form a ciphertext using at least the 
recipient's public key, the strings of binary digits Mi signed by the authorizers, 
and the public keys of the authorizers; and 

decrypting the ciphertext using at least the recipient's private key and 
the signatures generated by the authorizers. 

69. The method of claim 68, wherein at least one of the strings of 
binary digits is related to a parameter determining a validity period of the 
signatures generated by the authorizers. 



70. The method of claim 69, wherein at least one of the strings of 
binary digits is generated from information comprising the identity of the 
recipient. 
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71 . The method of claim 69, wherein at least one of the strings of 
binary digits is generated from information comprising the recipient public key. 



72. The method of claim 67, further comprising: 

generating a first cyclic group Gi of elements and a second cyclic 

group G 2 of elements; 

selecting a function e capable of generating an element of the second 
cyclic group G 2 from two elements of the first cyclic group Gi; 

selecting a generator P of the first cyclic group Gi; 

selecting a key generation secret of an authorizer as si; 
assigning the public key of an authorizer as s,P; 

selecting a first function Hi capable of generating an element of the first 
cyclic group d from the string of binary digits Mi 

generating a element Pm for each of the authorizers, wherein 
p m = Hi(SiP.Mi) for 1 < / < n; and 

signing the element Pw/to generate the signature Si = SiP M ,for each of 

the authorizers. 



73. The method of claim 72, wherein both the first group Gi and the 
second group G 2 are of the same prime order q. 
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74. The method of claim 72, wherein the first cyclic group Gi is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 

75. The method of claim 72, wherein the function e is a bilinear, 
non-degenerate, and efficiently computable pairing. 

76. The method of claim 72, wherein each of the key generation 
secrets Sj is an element of the cyclic group Z/gZ; 

each of the public keys Sj is an element of the first cyclic group <Gh; 

each of the elements P m is an element of the first cyclic group d; and 

the recipient private key s is an element of Z/qZ. 

77. A method of sending a digital message between a sender and a 
recipient in a public key encryption scheme comprising the sender, the 
recipient and a plurality of authorizes including at least a root authorizer and 
n lower-level authorizers in the hierarchy between the root authorizer and the 
recipient, wherein n > 1 and wherein the recipient can decrypt the digital 

message only if the recipient possesses authorization from the authorizers, 
the method comprising: 
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generating a recipient public key/ private key pair for the recipient, 
wherein the recipient private key is a secret of the recipient; 

generating a secret key s, for the root authorizer and each of the lower 
level authorizes, wherein each key secret key is known to its associated 
authorizer; 

generating a public key for the root authorizer and each of the 
■ authorizes, wherein each public key is generated using at least the secret 
key for its associated authorizer; 

certifying documents each comprising the public key of each of the 
lower level authorizes to generate a signature, wherein the document 
comprising the public key of each lower level authorizer is certified by the 
authorizer above it in the hierarchy; 

certifying a document comprising the recipient public key, wherein the 
document is certified by the authorizer immediately above the recipient in the 
hierarchy; 

encrypting the digital message to form a ciphertext using at least the 
recipient's public key and the public keys of the authorizes and the 
document; and 

decrypting the ciphertext using at least the recipient's private key and 
the signatures generated by the authorizes. 



78. The method of claim 77, wherein at least one of the public keys 
of the authorizes is related to a parameter determining a validity period of the 
signatures generated by the authorizes. 
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79. The method of claim 77, wherein at least one of the strings of 
binary digits is generated from information comprising the identity of the 
recipient. 

80. The method of claim 77, wherein at least one of the strings of 
binary digits is generated from information comprising the recipient public key. 



81 . The method of claim 77, further comprising: 
generating a first cyclic group G1 of elements and a second cyclic 

group G2 of elements; 

selecting a function e capable of generating an element of the second 
cyclic group <G 2 from two elements of the first cyclic group d; 

selecting a generator P of the first cyclic group d; 

assigning the secret key of an authorizer as si; 
assigning the public key of an authorizer as s/P; 

selecting a first function Hi capable of generating an element of the first 
cyclic group d from the string of binary digits; 

generating an element P* for each of the lower level authorizes, 
wherein P m = Hi(s,P,M i+1 ) for 1 < / < n-1 and wherein M l+ i is related to the 
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identity and public key of the authorizer immediately below that authorizer in 
the hierarchy; and 

signing the elements P m to generate the signatures Si = S\P Mi . 



82. The method of claim 81 , wherein both the first group d and the 
second group G 2 are of the same prime order q. 

83. The method of claim 81 , wherein the first cyclic group d is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 



84. The method of claim 81 , wherein the function e is a bilinear, 
non-degenerate, and efficiently computable pairing. 



85. The method of claim 81 , wherein each of the key generation 
secrets s\ is an element of the cyclic group Z/gZ; 

each of the public key Sj is an element of the first cyclic group d; 

each of the elements P M is an element of the first cyclic group d; and 

the recipient private key s is an element of the cyclic group Z/qZ. 
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86. A method of encrypting and decrypting a digital message 
between a sender and a recipient in a public-key encryption scheme 
comprising the sender, the recipient and an authorizer wherein the digital 
message is encrypted by the sender and decrypted by the recipient, the 
method comprising: 

(a) generating a recipient public key/ recipient private key pair; wherein 
the recipient private key is a secret of the recipient; 

(b) selecting a key generation secret known to the authorizer; 

(c) generating a recipient decryption key associated with time period i, 
wherein the recipient decryption key associated with time period i is related to 
the key generation secret, and wherein recipient decryption keys associated 
with time periods earlier than i, but not the recipient decryption keys 
associated with time periods later than i, can be generated from the recipient 
decryption key associated with time period i; 

(d) encrypting the digital message to form a ciphertext using at least 
the recipient public key, the time period parameter associated with time period 
i or a time period parameter associated with an earlier time period, and a 
recipient encryption key to create an encrypted digital message; and 

(e) decrypting the ciphertext using at least the recipient private key and 
the recipient decryption key associated with time period i. 

87. The method of claim 86 wherein the recipient decryption key 
associated with time period i in related to information identifying the recipient. 
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88. A method of sending a digital message between a sender and a 
recipient in a public-key encryption scheme comprising the sender, a plurality 
of clients including the recipient, and an authorizer, wherein the digital 
message is encrypted by the sender and decrypted by the recipient, the 
method comprising: 

(a) generating a recipient public key/ recipient private key pair for the 
recipient; wherein the recipient private key is a secret of the recipient; 

(b) generating a unique binary string associating the recipient with a 
leaf node in a B-tree; 

(c) generating an unique binary string associated with each ancestor 
node of the recipient leaf node; 

(d) generating an encryption key for the recipient leaf node and for 
each of the ancestor nodes for the recipient leaf node, wherein the encryption 
key for each node is associated with at least the binary string associated with 
that node; 

(e) generating a master secret known to the authorizer; 

(f) generating a recipient decryption key associated with an ancestor 
node of the recipient leaf node, wherein the ancestor node is not an ancestor 
of a leaf node associated with a client not authorized by the authorizer, 
wherein the recipient decryption key is associated with at least the binary 
string associated with that node and the master secret, and wherein the 
recipient decryption key associated with an ancestor node of the recipient leaf 
node forms a private key/ public key pair with the encryption key associated 
with the ancestor node of the recipient leaf node; 
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(g) encrypting the digital message to create an encrypted digital 
message using at least the recipient public key, and the encryption keys 
associated with the recipient leaf node and ancestor nodes of the recipient 
leaf node; and 

(h) decrypting the encrypted digital message using at least the recipient 
private key and the recipient decryption key associated with an ancestor node 
of the recipient leaf node. 

89. The method of claim 88, wherein the encryption key for the 
recipient leaf node and for each of the ancestor nodes for the recipient leaf 
node are related to a validity period parameter defining a validity period for the 
decryption key associated with that node. 

90. The method of claim 89, further comprising generating a long- 
lived certificate for the recipient, wherein the certificate comprises the 
recipient public key, the recipient serial number, wherein the recipient serial 
number is related to the binary string associating the recipient with the leaf 
node in a B-tree, and the validity period parameter. 

91 . The method of claim 88, wherein the nodes in the B-tree are 
associated with points on an elliptic curve or abelian variety. 



92. The method of claim 88, wherein the binary string associating 
the recipient with a leaf node in a B-tree is generated by a method comprising: 
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choosing a binary string associated with the root node of the B-tree; 

generating a binary string associated with each ancestor node of the 
recipient leaf node except for the root node, wherein the binary string 
associated with each ancestor node of the recipient leaf node except for the 
root node is generated using at least the binary string associated with the 

parent of that node; and 

generating a binary string associated with recipient leaf node, wherein 
the binary string associated with the recipient leaf node is generated using at 
least the binary string of the parent of that node. 

93. The method of claim 88, wherein the binary string associating 
the recipient with a leaf node in a B-tree is generated by a method comprising: 

choosing the binary string associated with each recipient leaf node; 

generating the binary string for the ancestor nodes of the recipient leaf 
node, wherein the binary string for each ancestor node of the recipient leaf 
node is generated using at least the binary strings associated with the child 
nodes of that node. 

94. The method of claim 93, wherein the B-tree is a Merkle tree. 



95. The method of claim 88, wherein the decryption key for the node 
providing cover for the recipient leaf node is generated by the method 
comprising: 
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(a) generating a first cyclic group d of elements and a second cyclic 

group G2 of elements; 

(b) selecting a first function Hi capable of generating an element of the 
first cyclic group G1 from a first string of binary digits; 

(c) generating an identifying string for the node providing cover for the 
for the recipient leaf node P n0 de = Hi(lnf B ). wherein lnf B is related to the binary 

string associated with that node; and 

(d) generating a secret element S = s c P no de for each node; wherein the 

secret element S is the decryption key for the node providing cover for the for 
the recipient leaf node. 

96. The method of claim 95, wherein the identifying string for the 
decryption key for the node providing cover for the recipient leaf node is also 
associated with the validity period parameter. 

97. The method of claim 88, wherein the digital message is 
encrypted by a method comprising: 

(a) generating a first cyclic group d of elements and a second cyclic 

group G2 of elements; 

(b) selecting a function e capable of generating an element of the 
second cyclic group G 2 from two elements of the first cyclic group d; 
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(c) selecting a generator P of the first cyclic group d ; 

(d) generating a key generation parameter Q = s c P; 

(e) selecting a first function Hi capable of generating an element of the 

first cyclic group G1 from a first string of binary digits; 

(f) selecting a second function H 2 capable of generating a second string 
of binary digits from an element of the second cyclic group G 2 ; 

(h) generating an identifying string P no£te = Hi(lnf B ) for each of m nodes 
defining the path from the recipient leaf node to the root node of the B- 
tree, wherein lnf B is related to the binary string associated with that 
node; 

selecting a random key generation secret r; 

encrypting the digital message to form a ciphertext C; wherein C is set 

to be: 

C = [rP, V1 V m ,], where Vi=M © H 2 (e(P, Pnode i) re c)), §(P, PnodeO e 

G z and Pnodei is the identifying string associated with node i, i = 1 , 

m; and 

encrypting a part of the ciphertext with the recipient public key PK B . 



98. The method of claim 97, wherein lnf B is also associated with the 
validity period parameter. 



,04/021638 PCT/US2003/026834 

-89- 

99. The method of claim 97, wherein both the first group Gi and the 
second group G 2 are of the same prime order q. 

1 00. The method of claim 97, wherein the first cyclic group d is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 

101 . The method of claim 97, wherein the function e is a bilinear, 
non-degenerate, and efficiently computable pairing. 

1 02. The method of claim 98,wherein 
s c is an element of the cyclic group Z/qZ; 

Q is an element of the first cyclic group Gi; 

Identifying string P n0 de is an element of the first cyclic group Gi; and 
the secret element S is an element of the first cyclic group Gi. 

1 03. A method of sending a digital message between a sender and a 
recipient in a public-key encryption scheme comprising the sender, a plurality 
of clients including the recipient, and an authorizer, wherein the digital 
message is encrypted by the sender and decrypted by the recipient, the 

method comprising: 

(a) generating a recipient public key/ recipient private key pair for the 
recipient; wherein the recipient private key is a secret of the recipient; 
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(b) generating a binary string associated with the root node of the B- 
tree, wherein this binary string is related to a validity period parameter 
defining a validity period for a decryption key for a node providing cover for 
the recipient leaf node; 

(c) generating a unique binary string associating the recipient with a 

leaf node in a B-tree; 

(c) generating an unique binary string associated with each ancestor 
node of the recipient leaf node with the exception of the root node, wherein 
this binary string is associated with the position of its associated node in the 
B-tree; 

(d) generating an encryption key for the recipient leaf node and for 
each of the ancestor nodes for the recipient leaf node, wherein the encryption 
key for each node is associated with at least the binary string associated with 
that node; 

(e) generating a first master secret and a second master secret known 

to the authorizer; 

(f) generating a decryption key for the node providing cover for the 
recipient leaf node, wherein the node providing cover for the recipient leaf 
node is not an ancestor node of a leaf node of a recipient not authorized to 
decrypt a message, wherein this decryption key is related to the first master 
secret, the second master secret x, and the binary strings associated with the 
node providing cover for the recipient leaf node and ancestor nodes of the 
node providing cover for the recipient leaf node and wherein the decryption 
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key forms a private key/ public key pair with the encryption key associated 
with the node providing cover for the recipient leaf node; 

(g) encrypting the digital message to create an encrypted digital 
message using at least the recipient public key, and the encryption keys 
associated with the recipient leaf node and ancestor nodes of the recipient 
leaf node; and 

(h) decrypting the encrypted digital message using at least the recipient 
private key and the decryption key associated with the node providing cover 
for the for the recipient leaf node. 

1 04. The method of claim 1 03, further comprising generating a long- 
lived certificate for the recipient, wherein the certificate comprises the 
recipient public key, the recipient serial number, wherein the recipient serial 
number is related to the binary string associating the recipient with the leaf 
node in a B-tree, and the validity period parameter. 

1 05. The method of claim 1 03, wherein the B-tree is a Merkle tree 

1 06. The method claim 1 03, wherein the binary string associating the 
recipient with a leaf node in a B-tree is generated by a method comprising: 

choosing a binary string associated with a child of the root node of the 

B-tree; 
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generating a binary string associated with each ancestor node of the 
recipient leaf node except for the root node and the child of the root node, 
wherein the binary string associated with, each ancestor node of the recipient 
leaf node except for the root node and the child of the root node is generated 
using at least the binary string associated with the parent of that node; and 

generating a binary string associated with recipient leaf node, wherein 
the binary string associated with the recipient leaf node is generated using at 
least the binary string of the parent of that node. 

1 07. The method claim 1 03, wherein the binary string associating the 
recipient with a leaf node in a B-tree is generated by a method comprising: 

choosing the binary string associated with each recipient leaf node; 

generating the binary string for the ancestor nodes of the recipient leaf 
node, with the exception of the root node, wherein the binary string for each 
ancestor node of the recipient leaf node, with the exception of the root node, 
is generated using at least the binary strings associated with the child nodes 
of that node. 

108. The method claim 103, wherein the nodes in the B-tree are 
associated with points on an elliptic curve or abelian variety. 

1 09. The method of claim 108, wherein the decryption key for the 
node providing cover for the recipient leaf node is generated by the method 
comprising: 
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(a) generating a first cyclic group Gi of elements and a second cyclic 

group ©2 of elements; 

(b) selecting a first function Hi capable of generating a element of the 
first cyclic group Gi from a first string of binary digits; 

(c) generating the identifying string for the root node in the B-tree 
P mode = Hi(lnf R ) and wherein lnf R is related to the validity period parameter; 

(d) generating a secret element S R = s c Pmode for the root node; 

wherein the secret element S is the identity-based secret-key for the root 
node. 

(e) generating the binary string associated with the node providing 
cover for the recipient leaf node and for each ancestor node of the node 
providing cover for the recipient leaf node, with the exception of the root-node, 
Pm ... PbL- bi, wherein the binary string associated with the node providing 
cover for the recipient leaf node and for each ancestor node of the node 
providing cover for the recipient leaf node is of the form P no ae = Hi(lnf B ), 

wherein lnf B is related to the position of that node in the B-tree; 

(f) generating a secret element: 

§ _ s R + x(P6.+...+P4....*,), xP for the node providing cover for the 

recipient leaf, wherein the secret element S is the decryption key for the node 
providing cover for the recipient leaf node. 
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110. The method of claim 103, wherein the digital message is 
encoded to create the encoded digital message by a method comprising: 

(a) generating a first cyclic group d of elements and a second cyclic 

group G 2 of elements; 

(b) selecting a function e capable of generating an element of the 
second cyclic group G 2 from two elements of the first cyclic group G1; 

(c) selecting a generator P of the first cyclic group G1; 

(d) generating a key generation parameter Q = s c P; 

(e) selecting a first function H capable of generating an element of the 

first cyclic group G1 from a first string of binary digits; 

(f) selecting a second function H 2 capable of generating a second string 
of binary digits from an element of the second cyclic group G 2 ; 

(g) generating the identifying string for the root node in the B-tree 
P mode = Hi(lnf R ), wherein lnf R is related to the validity period parameter; 

(h) generating the binary string associated with the recipient leaf node 
and for each ancestor node of the recipient leaf node, with the 
exception of the root-node, P b i ... Pm-w. wherein the binary string the 
recipient leaf node and for each ancestor node of the recipient leaf 
node is of the form P n0 de= Hi(lnf B ), wherein lnf B is related to the 

position of that node in the B-tree; 

(i) selecting a random key generation secret r, 

(j) encrypting the digital message to form a ciphertext C; wherein C is 
set to be: 
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C = [rP, riV r(i>i,+...+P*._A ffl ) , V], where V=M e H 2 (e(P, PmodeY*)), 

e(P, Pmode) e G 2 ; and 

(k) encrypting a part of the ciphertext with the recipient public key PK B . 

111. The method of claim 1 1 0, wherein both the first group Gi and 
the second group G 2 are of the same prime order q. 

1 1 2. The method of claim 110, wherein the first cyclic group Gi is an 

additive group of points on a supersingular elliptic curve or abelian variety, 
and the second cyclic group G 2 is a multiplicative subgroup of a finite field. 

113. The method of claim 1 1 0 wherein the function e is a bilinear, 
non-degenerate, and efficiently computable pairing. 

114. The method of claim 1 1 0 wherein 

s c and x are elements of the cyclic group Z/gZ; 

Q is an element of the first cyclic group Gi; 

Identifying strings P node and Pmode are elements of the first cyclic group 
<Gh; and 

the secret element S is an element of the first cyclic group Gi. 
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1 1 5. The method of claim 1 09, wherein the decryption key for the 
node providing cover for the recipient leaf node is updated to generate an 
updated decryption key, the method comprising: 

(a) choosing a validity period for the updated decryption key; 

(b) choosing a new value for the second master secret x; and 

(c) generating the updated decryption key, wherein the updated 
decryption key is associated with an ancestor node of the recipient leaf node, 
wherein the ancestor node is not an ancestor of a leaf node associated with a 
client not authorized by the authorizer during the validity period for the 
updated decryption key, 

wherein the updated decryption key is related to the first master secret 
s c , the second master secret x, the new value for the second master secret x, 
and the binary strings associated with the ancestor node of the recipient leaf 
node and ancestor nodes of the ancestor node of the recipient leaf node and 
wherein the decryption key forms a private key/ public key pair with the 
encryption key associated with the ancestor node of the recipient leaf node. 

1 1 6. The method of claim 1 1 5, wherein the updated decryption key is 
of the form: 

s c (Pti + Pt2) + xiPm + ... + x m P ( bi..bm), wherein 
s c is the first master secret; 
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Pti is the binary string associated with root node during the validity 
period of the decryption key; 

P T2 is a binary string associated with root node during the validity 
period of the updated decryption key; 

xi ... x m are associated with the second master secret and the new 
value for the second master secret; and 

Pbi P(bi..bm), are the binary strings associated with node providing 
cover for the recipient leaf node during the validity period for the updated 
decryption key and the ancestor nodes of this node except for the root mode. 



